CE Advanced Network Security

Transcription

1 CE Advanced Network Security Lecture 3 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other sources. Reference is noted on the bottom of each slide, when the content is fully obtained from another source. Otherwise a full list of references is provided on the last slide.

2 What s a Firewall Barrier between us and them. Limits communication to the outside world. The outside world can be another part of the same organization. Only a very few machines exposed to attack. Major firewall vendors: checkpoint, Cisco PIX/ASA [Bellovin 06] 2

3 Why Use Firewalls? Most hosts have security holes. Proof: Most software is buggy. Therefore, most security software has security bugs. Firewalls run much less code, and hence have few bugs (and holes). Firewalls can be professionally (and hence better) administered. Firewalls run less software, with more logging and monitoring. They enforce the partition of a network into separate security domains. Without such a partition, a network acts as a giant virtual machine, with an unknown set of privileged and ordinary users. [Bellovin 06] 3

4 Traditional Firewalls by Analogy Passports are (generally) checked at the border. My office doesn t have a door direct to the outside. Any way, what does firewall mean? Where does the name come from? [Bellovin 06] 4

5 Should We Fix the Network Protocols Instead? Network security is not the problem. Firewalls are not a solution to network problems. They are a network response to a host security problem. More precisely, they are a response to the dismal state of software engineering; taken as a whole, the profession does not know how to produce software that is secure, correct, and easy to administer. Consequently, better network protocols will not obviate the need for firewalls. The best cryptography in the world will not guard against buggy code. [Bellovin 06] 5

6 Firewall Advantages If you don t need it, get rid of it. No ordinary users, and hence no passwords for them Run as few servers as possible Install conservative software, don t get the latest fancy servers, etc. Log everything, and monitor the log files. Keep copious backups, including a Day 0 backup. Ordinary machines cannot be run that way. [Bellovin 06] 6

7 What a firewall cannot do Cannot protect you against malicious insiders. Cannot protect against connections that do not pass through it. Cannot protect against completely new threats. Cannot protect against viruses. [Memon 03] 7

8 Schematic of a Firewall Filter Filter Inside Gateway(s) Outside DMZ [Bellovin 06] 8

9 Conceptual Pieces An inside everyone on the inside is presumed to be a good guy An outside bad guys live there A DMZ (Demilitarized Zone) put necessary but potentially dangerous servers there [Bellovin 06] 9

10 The DMZ Good spot for things like mail and web servers Outsiders can send , retrieve web pages Insiders can retrieve , update web pages Must monitor such machines very carefully! [Bellovin 06] 10

11 Positioning Firewalls Firewalls protect administrative divisions. [Bellovin 06] 11

12 Why Administrative Domains? Firewalls enforce policy Policy follows administrative boundaries, not physical ones Example: separate protection domains for Legal, HR, Research, etc. [Bellovin 06] 12

13 Firewall Philosophies Block all dangerous destinations. Block everything; unblock things known to be both safe and necessary. Option 1 gets you into an arms race with the attackers; you have to know everything that is dangerous, in all parts of your network. Option 2 is much safer. [Bellovin 06] 13

14 Blocking Outbound Traffic? Many sites permit arbitrary outbound traffic, but... Internal bad guys? Extrusion detection? Regulatory requirements? Other corporate policy? [Bellovin 06] 14

15 Types of Firewalls Packet Filters Stateful Packet Filters Application Gateways Circuit Relays Personal and/or Distributed Firewalls Many firewalls are combinations of these types. [Bellovin 06] 15

16 Packet Filters 16

17 Packet Filters Router-based (and hence cheap). Individual packets are accepted or rejected; no context is used. Filter rules are hard to set up; the primitives are often inadequate, and different rules can interact. Packet filters a poor fit for ftp similar services. [Bellovin 06] 17

18 Running Without State We want to permit outbound connections We have to permit reply packets For TCP, this can be done without state The very first packet of a TCP connection has just the SYN bit set All others have the ACK bit set Solution: allow in all packets with ACK turned on [Bellovin 06] 18

19 Filtering Rules - Examples Policy Firewall Setting No outside Web access. Outside connections to public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a Smurf DoS attack. Prevent your network from being tracerouted Drop all outgoing packets to any IP address, port 80 Drop all incoming TCP SYN packets to any IP except , port 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast address (eg ). Drop all outgoing ICMP [Ross 06] 19

20 Firewall Rules Setup Action: Permit (Pass) Allow the packet to proceed Deny (Block) Discard the packet Direction: Source (where the packet comes from) <IP Address, Port> or network Destination (where the packet goes) <IP Address, Port> or network Protocol: TCP, UDP Packet Flags: ACK, SYN, RST, etc. [Stavrou07] 20

21 Sample Rule Set We want to block a spammers, but allow anyone else to send to our gateway. block: theirhost = spammer allow: theirhost = any and theirport = any and ourhost = our-gw and ourport = 25. [Bellovin 06] 21

22 Incorrect Rule Set We want to allow all conversations with remote mail gateways. Allow: theirhost = any and theirport = 25 and ourhost = any and ourport = any. Problem? We don t control port number selection on the remote host. Any remote process on port 25 can call in. [Bellovin 06] 22

23 The Right Choice Allow: theirhost = any and theirport = 25 and ourhost = any and ourport = any and bitset(ack). Permit outgoing calls. [Bellovin 06] 23

24 Packet Filters and UDP UDP has no notion of a connection. It is therefore impossible to distinguish a reply to a query which should be permitted from an intrusive packet. Address-spoofing is easy no connections At best, one can try to block known-dangerous ports. But that s a risky game. The safe solution is to permit UDP packets through to known-safe servers only. [Bellovin 06] 24

25 UDP Example: DNS Accepts queries on port 53 Block if handling internal queries only; allow if permitting external queries [Bellovin 06] 25

26 ICMP Problems Often see ICMP packets in response to TCP or UDP packets Important example: Path MTU response Must be allowed in or connectivity can break Simple packet filters can t match things up [Bellovin 06] 26

27 FTP, SIP, et al. FTP clients (and some other services) use secondary channels Again, these live on random port numbers Simple packet filters cannot handle this [Bellovin 06] 27

28 FTP In active mode FTP: Client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. Server connects back to the client's specified data port from its local data port, which is port 20. Problem? [ 28

29 FTP Passive mode FTP: Client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21 Instead of then issuing a PORT command, client issues the PASV command. Server opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. Client then initiates the connection from port N+1 to port P on the server to transfer data. [ 29

30 Saving FTP (summary) By default, FTP clients send a PORT command to specify the address for an inbound connection If the PASV command is used instead, the data channel uses a separate outbound connection If local policy permits arbitrary outbound connections, this works well [Bellovin 06] 30

31 The Role of Packet Filters Packet filters are not very useful as general-purpose firewalls That said, they have their place Several special situations where they re perfect [Bellovin 06] 31

32 Simplicity Packet filters are very simple, and can protect some simple environments Virtually all routers have the facility built in [Bellovin 06] 32

33 Point Firewalls Allow in ports 80 and 443. Block everything else. This is a Web server appliance it shouldn t do anything else! But it may have necessary internal services for site administration. [Bellovin 06] 33

34 Address Filtering At the border, block internal addresses from coming in from the outside Similarly, prevent fake addresses from going out [Bellovin 06] 34

35 Sample Configuration [Bellovin 06] 35

36 Sample Rules Interface Action Addr Port Flags Outside Block src= /16 Outside Block src= /24 Outside Allow dst=mail 25 Outside Block dst=dns 53 Outside Allow dst=dns UDP Outside Allow Any ACK Outside Block Any DMZ Block src!= /24 DMZ Allow dst= /16 ACK DMZ Block dst= /16 DMZ Allow Any Inside Block src!= /16 Inside Allow dst=mail 993 Inside Allow dst=dns 53 Inside Block dst= /24 Inside Allow Any [Bellovin 06] 36

37 Stateful Packet Filters 37

38 Stateful Packet Filters Most common type of packet filter Solves many but not all of the problems with simple packet filters Requires per-connection state in the firewall [Bellovin 06] 38

39 Keeping State When a packet is sent out, record that Associate inbound packet with state created by outbound packet [Bellovin 06] 39

40 Problems Solved Can handle UDP query/response Can associate ICMP packets with connection Solves some of the inbound/outbound filtering issues but state tables still need to be associated with inbound packets [Bellovin 06] 40

41 Network Address Translators Translates source address (and sometimes port numbers) Primary purpose: coping with limited number of global IP addresses Sometimes marketed as a very strong firewall is it? It s not really stronger than a stateful packet filter [Bellovin 06] 41

42 Basic NAT operation [Stavrou07] 42

43 Basic NAT operation [Stavrou07] 43

44 Basic NAT operation [Stavrou07] 44

45 Basic NAT operation [Stavrou07] 45

46 Basic NAT operation [Stavrou07] 46

47 Comparison Stateful Packet Filter Outbound Create state table entry. Inbound Look up state table entry; drop if not present NAT Outbound Create state table entry. Translate address. Inbound Look up state table entry; drop if not present. Translate address. The lookup phase and the decision to pass or drop the packet are identical; all that changes is whether or not addresses are translated. [Bellovin 06]

48 Acknowledgments/References [Bellovin 06] COMS W4180 Network Security Class Columbia University, Steven Bellovin, [Stavrou07] ISA 656, Network Security, Angelos Stavrou, Fall George Mason University. [Memon03] CS 392/682 Network Security, Nasir Memon, Spring Polytechnic University. 48